On 12/18/09 1:44 PM, EricLaw wrote:
> Quick question for you… When a XUL file in an installed Firefox addon
> pulls in a remote script via HTTP:
> e.g. inside firefoxOverlay.xul:
> <script src="http://example.com/extensions/script.js?ff"/>
> ...is that script accorded the permissions of the chrome:// security
> zone?

Yes.

> If so, that can enable a remote EoP if there's a MiTM attack, right?

Yes. Don't do that.
-Boris
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
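
An added example, not part of the original thread or of any Mozilla tooling: a small Python audit script that scans an add-on's XUL overlay for `<script>` elements whose `src` is fetched over the network instead of from the package, the pattern the reply above says not to use. The sample overlay, the function names and the set of schemes treated as remote are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"http", "https", "ftp"}  # fetched from the network at load time
SCRIPT_SRC_RE = re.compile(
    r"<(?:\w+:)?script\b[^>]*?\bsrc\s*=\s*([\"'])(.*?)\1", re.I | re.S)

# Constructed sample overlay (not from a real add-on).
SAMPLE_OVERLAY = """<?xml version="1.0"?>
<overlay id="sample-overlay"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script src="chrome://sample/content/overlay.js"/>
  <script src="http://example.com/extensions/script.js?ff"/>
  <script src="HTTPS://example.com/extensions/other.js"/>
  <script type="application/x-javascript">var local = 1;</script>
</overlay>
"""

def script_sources(xul_text):
    """Return the src value of every <script> element in the overlay."""
    try:
        root = ET.fromstring(xul_text)
    except ET.ParseError:
        # Overlays often use DTD entities (&name;) that a standalone parser
        # cannot resolve, so fall back to a pattern scan of the raw text.
        return [m.group(2) for m in SCRIPT_SRC_RE.finditer(xul_text)]
    # Tags read '{namespace}script' when the XUL namespace is declared.
    return [e.get("src", "") for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "script"]

def find_remote_scripts(xul_text):
    """Return [(src, scheme)] for scripts loaded from a network URL."""
    findings = []
    for src in script_sources(xul_text):
        scheme = urlsplit(src.strip()).scheme.lower()
        if scheme in REMOTE_SCHEMES:
            findings.append((src, scheme))
    return findings

if __name__ == "__main__":
    for src, scheme in find_remote_scripts(SAMPLE_OVERLAY):
        note = "cleartext, modifiable in transit" if scheme == "http" else "remote"
        print(f"{scheme.upper()} ({note}): {src}")
```

Scripts referenced by `chrome://` URLs and inline scripts are not reported, since they ship inside the installed package.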